A newly discovered ransomware family calling itself Patcher is targeting macOS users, but according to security researchers from ESET, who discovered the ransomware last week, Patcher bungles the encryption process and leaves affected users with no way of recovering their files.
Based on the currently available information, the new Patcher ransomware is distributed via torrent files that advertise license crackers for applications like Adobe Premiere Pro or Microsoft Office for Mac.
These torrent files download a ZIP file on users’ computers. After unzipping the archive, users get a binary file whose name ends in the “Patcher” string.
This detail matters because users can use it as a clue to spot new Patcher-laced torrents that the ESET team has not yet picked up.
As for Patcher itself, ESET researchers say this ransomware is very poorly coded.
The first sign that users are dealing with a useless, potentially malicious file comes when they execute the crack, which launches a window with no background.
If users close this window and launch the crack tool again, the window won’t show up anymore.
Patcher doesn’t send the encryption key to its author
Clicking the “Start” button starts the encryption process. According to ESET researchers, Patcher generates a 25-character-long random number that it uses as the encryption key to lock user files.
The bad news is that Patcher doesn’t send this encryption key to an online server, so the person/group behind the ransomware has no way of decrypting your files.
Even worse, the encryption key is long enough to make recovery impossible via a brute-force attack that tries to guess the key.
Other signs that Patcher is an amateurish attempt at Mac ransomware are spread all over the ransomware’s encryption process, which contains various errors.
Patcher encryption process
The actual encryption process begins when users press the Start button in the image above: Patcher first generates the encryption key via the arc4random_uniform function.
Patcher will take the user’s files, one by one, and lock them in a password-protected archive, where the password is the previously generated encryption key.
The same encryption key is used for all files, a practice ransomware operators generally avoid in favour of layered encryption models, which are harder to crack.
Patcher will search and encrypt files in the user’s /Users directory and in all mounted external and network storage drives found under /Volumes.
The ransomware also adds the .crypt extension at the end of all encrypted files. A file named image.png will become image.png.crypt.
Once the encryption process ends, Patcher drops the following ransom note, named README!.txt, in all the user’s directories.
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption method.
What do I do ?
So , there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW! , and restore YOUR DATA the easy way
If You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your files, except make a PAYMENT
FOLLOW THESE STEPS:
1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)
2) send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb
3) send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to email@example.com
4) leave your computer on and connected to the internet for the next 24 hours after payment, your files will be unlocked. (If you can not wait 24 hours make a payment of 0.45 BTC your files will be unlocked in max 10 minutes)
KEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET CRYPTED, THEN THERE WON'T BE ANY METHOD TO RECOVER YOUR FILES, DON'T WASTE YOUR TIME!
After this, Patcher changes the last modified date of all encrypted files to February 13, 2010, for no apparent reason, with the touch command.
At this point, Patcher attempts to load the diskutil app to safely erase free space on the root partition. Patcher’s poor coding shows up again, because an error prevents the ransomware from executing this operation, as the author has mistyped the diskutil path in macOS.
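The three on-disk artifacts described above (the .crypt suffix, the README!.txt note and the modification date forced to February 13, 2010) are exactly what an incident responder would sweep a Mac for. The following scanner is an added example written for this article, not code from ESET or from the ransomware itself; the sample directory it builds is constructed, and the alerting rule (an encrypted file or a ransom note is enough to alert, the backdated timestamp only corroborates) is my own assumption.

```python
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from datetime import date, datetime
from pathlib import Path

# Indicators reported for Patcher: encrypted files gain a ".crypt" suffix,
# a ransom note named "README!.txt" is dropped into directories, and the
# modification date of encrypted files is forced to 13 February 2010.
ENCRYPTED_SUFFIX = ".crypt"
RANSOM_NOTE_NAME = "README!.txt"
FORCED_MTIME_DATE = date(2010, 2, 13)


@dataclass
class ScanResult:
    encrypted_files: list[str] = field(default_factory=list)
    ransom_notes: list[str] = field(default_factory=list)
    backdated_files: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed rule: one encrypted file or one ransom note raises an alert;
        # a backdated mtime on its own is too weak and only corroborates.
        return bool(self.encrypted_files or self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` (e.g. /Users or /Volumes) and collect the Patcher indicators."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == RANSOM_NOTE_NAME:
                result.ransom_notes.append(rel)
                continue
            if name.endswith(ENCRYPTED_SUFFIX):
                result.encrypted_files.append(rel)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it, don't abort the sweep
            # `touch` sets the date in local time, so compare the local calendar date
            if datetime.fromtimestamp(mtime).date() == FORCED_MTIME_DATE:
                result.backdated_files.append(rel)
    for lst in (result.encrypted_files, result.ransom_notes, result.backdated_files):
        lst.sort()
    return result


def build_sample_tree() -> str:
    """Create a constructed sample directory that mimics a Patcher-hit home folder."""
    root = tempfile.mkdtemp(prefix="patcher-demo-")
    docs = Path(root, "Documents")
    docs.mkdir()
    # constructed sample: one "encrypted" file, one ransom note, one untouched file
    (docs / "image.png.crypt").write_bytes(b"constructed placeholder, not a real archive")
    (docs / RANSOM_NOTE_NAME).write_text("constructed ransom note placeholder\n")
    (docs / "notes.txt").write_text("untouched file\n")
    # mimic the ransomware's `touch`, which backdates the file to 13 Feb 2010
    forced = datetime(2010, 2, 13, 12, 0).timestamp()
    os.utime(docs / "image.png.crypt", (forced, forced))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    r = scan_tree(sample)
    print("encrypted:", r.encrypted_files)
    print("ransom notes:", r.ransom_notes)
    print("backdated:", r.backdated_files)
    print("ALERT" if r.suspicious else "clean")
```

On a real machine you would point scan_tree at /Users and at each mount under /Volumes, the two locations the article says Patcher walks; on a clean tree it returns an empty result, and the backdated list lets you confirm that a .crypt file really carries the February 2010 timestamp rather than merely an unlucky file name.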
Patcher uses one Bitcoin address and a Mailinator account
Two other signs that Patcher was an insufficiently planned-out project come from the way payments are handled: the ransomware’s author has used the same Bitcoin address to take payments from all users.
When users pay (which is not recommended), the author asks users to send him an email to a public Mailinator inbox, which everyone can access.
All of these are signs that the Patcher author has no experience with ransomware operations, as pranksters could delete emails from this public inbox.
In the past, Mac users have been targeted by other ransomware families, such as KillDisk and KeRanger, both much better coded and with a lot more attention to detail when compared to Patcher.
“This new crypto-ransomware, designed specifically for macOS, is surely not a masterpiece,” says ESET’s Marc-Etienne M.Léveillé. “Unfortunately, it’s still effective enough to prevent the victims accessing their own files and could cause serious damage.”
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.